Privacy Policy
LyLo (“LyLo”, “we”, “us”) is a dating app for iOS. This policy explains what data we collect, why, and what control you have over it. Questions: support@lylo.dating.
The short version: we collect only what the app needs to work, we never sell your data, we show other users your city — never your exact location, and you can permanently delete everything yourself, right in the app.
1. What we collect
- Account data. Your phone number (when you sign in with an SMS code) or your Apple ID (when you use Sign in with Apple). We use it only to sign you in and protect your account.
- Profile data. What you fill in yourself: name, date of birth, gender, orientation, who you want to meet, city, height, photos, interests, and prompt answers. Other users see your profile with your age — never your exact date of birth.
- Verification selfie. If you verify your profile, you take a selfie in a requested pose. With your explicit consent, it is used solely by our moderation team to confirm the profile is genuine. It is stored in private, access-controlled storage and is never shown to other users.
- Location. We ask for your approximate location to show people nearby. Coordinates are coarsened on your device to roughly 1 km before they are ever sent to us. Other users only see your city and an approximate distance. We never collect or share your precise location.
- Messages. Text and voice messages, reactions, and replies you exchange with your matches are delivered and stored by our servers so your conversations work across devices. Voice messages are kept in private storage and served via short-lived access links.
- Safety data. Blocks and reports you make or that are made about you. When you report a conversation, up to the last 30 messages may be attached to the report (the report form tells you this) — visible only to our moderation team.
- Purchases. Subscriptions are processed by Apple. We only receive your subscription status. We never see your payment card details.
- Device & diagnostics. A push notification token (only if you enable notifications), app version, language, and first-party usage analytics (which screens and features are used). Crash and performance diagnostics are collected via Apple’s MetricKit. Our analytics never contain message contents, names, or precise coordinates.
2. What we don’t do
- We do not sell or rent your personal data. Ever.
- We do not show third-party ads and do not use third-party advertising or tracking SDKs.
- We do not use the Apple advertising identifier (IDFA) and do not track you across other companies’ apps or websites.
3. How we use your data
- To run the service: show you profiles, deliver likes, matches and messages, and sync your account.
- To keep the community safe: verification, moderation of reports, and preventing fraud and abuse.
- To improve the product: aggregated, de-identified usage analytics.
- To notify you: push notifications about matches and messages, which you can configure or turn off at any time. Message notifications never include the message text; you can also hide sender names (“discreet mode”).
4. Who we share data with
Only with service providers that process data on our behalf, under contracts that restrict how they may use it:
- Supabase — database, storage, and backend hosting.
- Twilio — delivery of SMS sign-in codes (they process your phone number for this purpose only).
- Apple — Sign in with Apple, push notifications, and payments.
- Vercel — hosting of this website.
We may disclose data if required by law, or to protect the rights and safety of our users. Where data is transferred internationally, we rely on appropriate safeguards such as standard contractual clauses.
5. How long we keep it
- Your data is kept while your account is active.
- Deleting your account (Profile → Delete account) permanently erases your profile, photos, selfie, messages, matches, and analytics identifiers.
- Safety exception: if a conversation was blocked or reported, minimal related data may be retained for up to 90 days (at most 180 days in ongoing cases) to protect users, then deleted. Resolved report attachments are removed within 30 days of resolution.
- Usage analytics events are retained for at most 180 days.
6. Your rights
You can access and edit your profile data directly in the app, and delete your account (and all associated data) yourself at any time. Depending on where you live (including GDPR and UK GDPR regions, and California), you may also have rights to access, correct, delete, or receive a copy of your data, and to lodge a complaint with your supervisory authority. To exercise any right, email support@lylo.dating.
Where GDPR applies, our legal bases are: performance of contract (running the service), legitimate interests (safety and fraud prevention), and consent (verification selfie, location access, notifications). California residents: we do not sell or share personal information as defined by the CCPA/CPRA.
7. Age
LyLo is strictly for adults 18 and over. We do not knowingly collect data from anyone under 18; such accounts are removed.
8. Security
All traffic is encrypted in transit (TLS). Data is stored with row-level access controls; sensitive media (verification selfies, voice messages) live in private storage accessible only via short-lived signed links. Access by our team is limited to what moderation and support require.
9. Changes
If we make material changes to this policy, we will notify you in the app before they take effect. The current version is always at lylo.dating/privacy.